EU cookie law: stop whining and just get on with it

Growth occurs as a series of jolts: your first kiss, your first
drink, your first pay packet. As the technology industry matures,
it's no different. But just as in real life, some people aren't too
good at dealing with change.

For the best part of two years now, parts of the online media
industry have been complaining about EU Directive 2009/136/EC,
which requires users to consent before web sites harvest data from
them.

After the government's year-long pause on enforcement, in the
wake of a highly successful industry-led campaign for common sense
enforcement, implementation is now only days away. In the UK, the
new rules kick in on Saturday 26th May.

Yet the moaning continues. Some still view the Directive as an
infernal doomsday machine that will "kill online
sales" and "kill the internet". Robert Bond of the law firm Speechly
Bircham describes the effects as "far-reaching and incredibly onerous"
for "all UK companies." Simon Davis of Privacy International argues
that proper enforcement would "destroy the entire industry".

Those with something to gain have been spreading fear and
loathing. KPMG, a firm that never knowingly underestimates the
threats confronting its clients, recently announced that 95 percent of British businesses and public sector
organisations are "not compliant" and may therefore face fines of
up to £500,000.

Separately, QuBit, a London-based data consultancy, estimates
("worst case scenario") that the EU Directive could "cost" the British economy £10bn.

"Member States shall ensure that the
storing of information, or the gaining of access to information
already stored, in the terminal equipment of a subscriber or user
is only allowed on condition that the subscriber or user concerned
has given his or her consent, having been provided with clear and
comprehensive information."

Consent? As any teenager will tell you, much depends on how you
ask the question. If regulators ever expected web site owners
to implement an opt-in
regime like this, they don't now. Colin O'Malley, chief
strategy officer at Evidon, the US-based data and privacy company,
says he has spoken with regulators in six European nations,
including some of the most conservative members of the dreaded
Article 29 Working Party. All of them, he says, "have specifically
cautioned against going as far as opt-in".

Here's where the wiggle room opens up. Much depends on language
and design. In May 2011, for example, the Information Commissioner's
Office started seeking consent from users of its own web site. When
users clicked through for the first time, an overlay told users
that the site "would like to store information on your
computer".

The aggressive tone was compounded by apparent bad faith. ("One
of the cookies we use. . . has already been set".) Next, the ICO's
overlay held a metaphorical gun to its users' heads, telling them
that "parts of the site will not work. . . [if] you delete and
block all cookies".

Unsurprisingly, the result was a 90 percent decline in measured
traffic. Ever since, opponents of the directive have argued that
the end of the world is nigh.

It isn't. Instead, we're starting to see some clever and subtle
implementations. If you click through to BT's customer site, for example, the first thing you'll see is
a cleverly-worded overlay which suggests that "this website" is set
to "allow all cookies". (The language isn't threatening; moreover,
it encourages the notion that this has nothing to do with you, the
user).

The overlay goes on to explain that this has been done in order
to offer "the very best experience" (You're worth it, no?). It goes
on to say that if you click the "no, thanks" button below, you will
"consent" to "allow all cookies". (The "no thanks" button
instinctively appeals to the vast majority of users who don't want
to be sold something; it also encourages non-technical users
accustomed to things going wrong to vote for continuity).

Expect to see many more corporates adopting a similar approach.
This week, for example, FT.com took the plunge, with an overlay
strategy that resembles BT's.

We need to wait and see how many users refuse cookies at BT and
FT.com. My guess is that the number will be a lot less
than 90 percent, and that it will decrease over time. As users
encounter more sites with lookalike overlays, they'll become
accustomed to taking the path of least resistance. Along the way, they
may start to understand cookies and privacy better. They may
actually start to feel confident about privacy protection.

Still unconvinced? Then examine the guidance published by Whitehall's own IT bosses for anyone
running a public sector web site. In total, the advice runs to four
pages. It doesn't feel like a user manual for coping with the end
of the world. Alternatively, take a look at the current guidelines from the Information Commissioner's Office, which
strongly hint that "formal action" will be reserved for anyone who
"refuses to take steps to comply" or who has been "involved in a
particularly privacy-intrusive use of cookies".

Of course, there are perfectly understandable reasons why parts
of the online industry hate the directive with such a
passion. The first involves the cost of what the ICO describes
as "new sites and systems and upgrades". This, as one commenter
pointed out, is an industry in which it's already difficult to make
money. Well, yes: and at least some of this difficulty is
attributable to hot VC money, which has unleashed a torrent of
me-too revenue-lite ad tech start-ups. If regulation helps
consolidation on its way, the results may not be entirely
negative.

Awkwardly, the directive forces the online ad industry to think
about users, as well as data. (As the Government Digital Service
puts it: "It's not about cookies, it's about privacy.")

Like everyone else, online ad folk would much prefer to be
handed a series of binary policy decisions ("you can do this, but
not that"). Instead, they've been given some guidelines and asked
to think seriously about privacy. In the long term, this should
strengthen respect for privacy inside the industry. However, for
those who prefer not to think, the challenge is problematic.

Ad tech people are an inward-looking tribe: they need to get off
their backsides and educate the public about why metrics matter.
According to the IAB's own research, 89 percent of British surfers say they want to be
able to control their own privacy online. Yet only 37 percent
understand what a cookie is. Squaring this circle will take years
of education and innovation. The directive is pushing the industry
in this direction. Again, this is no bad thing.

Without an effort of this kind, the online industry will face a
backlash eventually. As Simon Davis of Privacy International
argues, users can rapidly become "angry customers when they find
out they have not been told the truth". On this point, he's
right.

Anyone in the UK online industry who still dreams of Ayn
Rand-style freedoms needs to wake up, and quickly. Online accounts
for 28 percent of Britain's advertising market. That's more than
the 26 percent that flows into the heavily-regulated broadcast
sector, more than the 23 percent that flows into newspapers,
currently the focus of scrutiny by Lord Leveson.

Leveson is regulation in action. For those in the
spotlight, the experience is nasty, brutish and prolonged. Measures
like the EU Directive will avert the need for an equivalent of a
Leveson Inquiry for the online ad industry in three, five or 10
years' time. For this reason alone, the online ad industry should
embrace Britain's new cookie law with open arms.

Edited by Olivia Solon

Comments

And on trundles the corporate machine, simply changing from cookies to the next tracking technology like digital fingerprints... What's in a name? You can't turn off these technologies, at least before, if you knew what you were doing, you could avoid cookie tracking, well done government you protect us well, welcome, covert tracking systems! My number is 393945A and I have been owned by the corporation my whole life.

John

May 29th 2012

As a professional, this is a pain in the ass. As a user, fuck I've been waiting for this for ages.

PLA

Jun 6th 2012

"HARVEST DATA" is a bit of strong editorial to push your viewpoint. Google analytics is hardly gathering oppressive personal data for nefarious use! Come on be a little more balanced. The law in the most part is pointless and most people don't care!

Ben

Jun 12th 2012

I visited the ICO website and accepted their cookies, but then I got up to go to the toilet and my teenage daughter started browsing the ICO website. They pushed their cookies on to the computer without her permission. This is clearly in breach of the law. All European and UK websites must display a pop-up and get consent with every single page load as the user may not be the same person who consented. Can we get an official statement on this issue?

Chris

Jun 21st 2012

"We know it irks many businesses. But how do we know it annoys users? Is that all users? Or some users?"
Well we can use common sense and assume that it has no benefit for the users and only the down side of annoying messages then it's going to annoy users. I've been trying to find out what the EU are trying to achieve with this move.
It seems to be a follow up to the "technical dick-swinging" move to show Microsoft who's boss by removing Internet Explorer from the Windows operating system that led to even more variants of Windows (N) etc. for us end users to deal with.
One particular annoyance is my local library when I wanted to know what time they were open (I'm paraphrasing what the website actually said for amusement purposes)
"This web site wants to use cookies is that OK"
"Erm, out of interest… NO"
"Oh, OK that's fine…. I'm sorry but I'll have to annoy you again next time because you won't let me use a cookie to remember that I'm not allowed to use cookies".
Also, why should we stop complaining and tolerate this nonsense? What a ridiculous article.

David Homer

Jul 4th 2012

What a braindead law. You know what would be useful? If the dozen of BROWSERS were required to prompt the user. Instead of the millions upon millions of websites.

And then, preferably, only if a third-party domain is trying to set the cookie.